Secured Dynamic Updates
Caution
• Portions of this slide set present features that do not appear in BIND until BIND 9.3
– Snapshot code is available for this
• BIND 9.2 can perform most of the dynamic update features
Outline
• Dynamic Update Basics
• Setting Up A Dynamic Zone
• Tools
• Securing It
• Authorization Configuration
• Playing with Update Commands
• Interactions with DHCP
Getting Data Into DNS
[Diagram: three paths for getting data into the Primary NS. A Network Database is turned into a Zone File (the slide sketches one: $origin z., an SOA, an NS record and an A record for ns1 at 1.1.1.1), which the Primary NS loads; a Secondary NS pulls the zone from the Primary by AXFR; Dynamic Update is the third path, sending changes straight to the Primary NS over the network.]
Advantages of Dynamic Updates
• Change DNS data quickly
• Make changes from anywhere
• No need to reload whole zone
• Data becomes more current
Uses of Dynamic Update
• Adding a new delegation to a large zone
– Cut down on reload times
• Conference attendees
– Laptops can use same name, new IP
Risks of Dynamic Update
• Authoritative servers listen to the network for data
• Authorization checks needed before accepting a request
• Server risks being tied up with updates
• Dynamic zones are hard to edit via "the old ways"
Other Considerations
• Once a zone goes dynamic, it is hard to edit
• Mixing dynamic data and critical static data is a bad idea, even neglecting security concerns
• This isn't meant to scare you from dynamic update, but to alert you
"Secure" Dynamic Update
• Secure refers to the safety of the update requests
– Only the right clients will be able to get data into the zone
• Limitations on the term "secure"
– Won't stop an authorized client from issuing bad (but validly signed) requests; the server authenticates the request, it does not judge the data
– Doesn't address DNSSEC, adding digital signatures to the zone
Tools
• In order to do any of this, we need tools (software)
• All are part of a BIND 9 distribution
– named - the server; here we concentrate on its conf file
– dig - a query/response tool
– nsupdate - issues dynamic update messages
– rndc - remote name server daemon control
– dnssec-keygen - makes the keys needed
A static zone
    zone "myzone.example." {
        type master;
        file "myzone.example.";
        allow-transfer { any; };
    };
Adding a dynamic zone
    zone "myzone.example." {
        type master;
        file "myzone.example.";
        allow-transfer { any; };
    };
    zone "dynamic.myzone.example." {
        type master;
        file "dynamic.myzone.example.";
        allow-transfer { any; };
        allow-update { any; };   // any host that can reach the server may change this zone; tightened later
    };
//note: on-line slide is different
dynamic.myzone.example
> cat db.dynamic.myzone.example
$ORIGIN dynamic.myzone.example.
$TTL 1d             ; 1 day
@   IN SOA ns1.myzone.example. root.myzone.example. (
            1       ; serial
            30m     ; refresh (30 minutes)
            15m     ; retry (15 minutes)
            19h     ; expire (19 hours)
            18m     ; minimum (18 minutes)
            )
    NS  ns1.myzone.example.
(The SOA MNAME and the NS target are written fully qualified, with the trailing dot; as relative names they would be expanded under $ORIGIN. nsupdate uses the SOA MNAME to find the primary when no "server" is given, so it must be right.)
Journal Files
• Once a dynamic zone begins running
– A journal file (<zonefile>.jnl) is created when the first dynamic update has been made
– This binary, non-text file maintains all updates in recent times
– Updates aren't immediately reflected in the original <zonefile>, but they are eventually
– Journal entries are written to the zone file at server shutdown (and on demand: rndc freeze in 9.3)
– Don't hand-edit <zonefile> while the zone is live; the file and the journal go out of sync. Freeze the zone first (9.3), edit, then unfreeze.
dig
• Basic debugging aid
• dig @server domain.name type
• Used to verify that change has been made
• Used to verify that SOA number increments
dig examples
> dig @127.0.0.1 version.bind chaos txt
> dig @127.0.0.1 myzone.example. soa +multiline
> dig @127.0.0.1 dynamic.myzone.example. soa
nsupdate
• Generates updates based upon user input
• Used to make requested updates
nsupdate example
% nsupdate
> server 127.0.0.1
> zone dynamic.myzone.example.
> update add alu.dynamic.myzone.example. 600 A 192.168.160.1
> update add dynamic.myzone.example. 600 MX 10 alu
> send
> quit
• Just to check our work...
% dig @127.0.0.1 alu.dynamic.myzone.example. A
% dig @127.0.0.1 dynamic.myzone.example. MX
rndc
• "Remote" management of server, usually across 127.0.0.1
• Used to stop, reload server
• Used to freeze and unfreeze dynamic zone { available in BIND 9.3 }
rndc examples
% rndc -c rndc.conf status
% rndc -c rndc.conf reload
% rndc -c rndc.conf freeze dynamic.myzone.example
% rndc -c rndc.conf unfreeze dynamic.myzone.example
% rndc -c rndc.conf stop
NOTE: "freeze" and "unfreeze" are introduced in BIND 9.3
dnssec-keygen
• Simple tool to generate keys
• Used for DNSSEC too
• Used here to generate TSIG keys
• Used also to generate SIG(0) keys - in version 9.3
dnssec-keygen tsig example
% dnssec-keygen -a HMAC-MD5 -b 128 -n host sample.tsig.key
Ksample.tsig.key.+157+02308
% ls Ksample*
Ksample.tsig.key.+157+02308.key Ksample.tsig.key.+157+02308.private
(157 is the algorithm number for HMAC-MD5; the shared secret is the "Key:" line of the .private file. HMAC-MD5 is the only TSIG algorithm in 9.2/9.3; current BIND supports hmac-sha256 and ships tsig-keygen, which prints a ready-to-include key statement.)
dnssec-keygen sig(0) example
% dnssec-keygen -a RSA -b 512 -n host sample.tsig.key
Ksample.tsig.key.+001+18681
% ls Ksam*
Ksample.tsig.key.+001+18681.key       Ksample.tsig.key.+157+02308.key
Ksample.tsig.key.+001+18681.private   Ksample.tsig.key.+157+02308.private
(-a RSA selects RSAMD5, algorithm number 1, hence the +001 in the file name; a 512-bit RSAMD5 key is fine for a demo but not for production. For SIG(0) the .key file holds the KEY RR that goes into the zone; the .private file stays with the client.)
"Secured" Dynamic Update
• Limited to the security of the requests
• Dynamic updates to a DNSSEC zone are a work in progress
• Two steps
– Identify and authenticate the updater
– Determine if updater is authorized
Steps
• Create a separate zone for dynamic updates
– (Done)
• Configure keys
• Configure policy
Configuring Keys
• Two styles
– TSIG - shared secret
– SIG(0) - public key
• TSIG
– works in 9.2; the secret is needed in named.conf (or an "include" file) and in the client
• SIG(0)
– needs 9.3; the public key is listed in the zone file (not in named.conf) and the private key is held by the client
TSIG keys
• Issue: Naming the key
– Name is arbitrary, but must be consistent between the named.conf and the client
– There is an advantage to making it the same as a domain in the zone (a policy rule can then tie a key to its own name)
• To test the keys, turn on key-based authorization of AXFR - just for testing
Making TSIG keys
• dnssec-keygen -a HMAC-MD5 -b 128 -n host slave1.dynamic.myzone.example.
• dnssec-keygen -a HMAC-MD5 -b 128 -n host slave2.dynamic.myzone.example.
• ls:
Kslave1.dynamic.myzone.example.+157+42488.key
Kslave1.dynamic.myzone.example.+157+42488.private
Kslave2.dynamic.myzone.example.+157+57806.key
Kslave2.dynamic.myzone.example.+157+57806.private
Adding TSIG to named.conf
    key "slave1.dynamic.myzone.example." {
        algorithm HMAC-MD5;
        secret "sd7qi6tiw+N5fK3mGNDNJU9TwIju+1ye7r2shgfkxIg=";
    };
    key "slave2.dynamic.myzone.example." {
        algorithm HMAC-MD5;
        secret "KXMoZHZIIxVsxKp4aUp6YTy3EswUN9CeDEpneJDOgVM=";
    };
(The secret is the "Key:" value from the .private file. named.conf is often world-readable; keep key statements in a separate file readable only by named and pull it in with "include".)
Configuring TSIG AXFR
• Just so we can see that the keys work
    zone "dynamic.myzone.example." {
        type master;
        file "dynamic.myzone.example.";
        allow-transfer {
            key slave1.dynamic.myzone.example.;
            key slave2.dynamic.myzone.example.;
        };
        allow-update { 127.0.0.1; };
    };
Testing with dig
• Fails:
% dig @127.0.0.1 dynamic.myzone.example. axfr
• Succeeds:
% dig @127.0.0.1 dynamic.myzone.example. axfr -y slave1.dynamic.myzone.example.:sd7qi6tiw+N5fK3mGNDNJU9TwIju+1ye7r2shgfkxIg=
• This shows that the TSIG key is properly configured in named.conf
• -y takes name:secret, and the pair must come from the same key statement; slave1's name with slave2's secret fails with a TSIG BADSIG, the same symptom as a copy-paste mistake in named.conf. Note that -y exposes the secret to anyone who can read the process list.
Key based dynamic updates (TSIG)
    zone "dynamic.myzone.example." {
        type master;
        file "dynamic.myzone.example.";
        allow-transfer {
            key slave1.dynamic.myzone.example.;
            key slave2.dynamic.myzone.example.;
        };
        allow-update {
            key user1.dynamic.myzone.example.;
            key user2.dynamic.myzone.example.;
        };
    };
• user1 and user2 need key statements in named.conf exactly like slave1 and slave2 above; the key name in allow-update is matched against the key name carried in the TSIG record of the request
• allow-update with a key grants that key the right to add, change or delete any record in the zone
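The allow-update list above gives any holder of either key write access to the whole zone, NS and SOA at the apex included. BIND 9's update-policy statement (the "Authorization Configuration" step of the outline, present since 9.1 but not shown on these slides) scopes each key to names and types. This added example, which is not the slides' code and not BIND's implementation, models the two authorization styles side by side so the difference can be checked on a list of requests. The rule semantics follow the BIND ARM (grant identity nametype name types; rules are tried in order and the first match decides; no match denies; a rule without a type list never matches SOA, NS or the DNSSEC types), but only the name, subdomain and self nametypes are modelled, and the user2/hosts rule is an assumption for illustration.

```python
from dataclasses import dataclass

ZONE = "dynamic.myzone.example."

# Types a rule with no explicit type list never matches. The BIND ARM excludes the
# apex/DNSSEC infrastructure types (older releases name them SIG and NXT).
PROTECTED_TYPES = frozenset({"SOA", "NS", "RRSIG", "NSEC", "NSEC3", "SIG", "NXT"})


@dataclass(frozen=True)
class Rule:
    """One `grant` or `deny` line of an update-policy statement."""
    action: str                     # "grant" or "deny"
    identity: str                   # key name that signed the request, or "*"
    nametype: str                   # "name", "subdomain" or "self" (others not modelled)
    name: str = ""                  # target for name/subdomain; ignored for self
    types: frozenset = frozenset()  # empty: any type except PROTECTED_TYPES


def canon(name):
    """Case-insensitive, fully-qualified comparison form."""
    return name.lower().rstrip(".") + "."


def rule_matches(rule, signer, rr_name, rr_type):
    signer, rr_name, rr_type = canon(signer), canon(rr_name), rr_type.upper()
    if rule.identity != "*" and canon(rule.identity) != signer:
        return False
    if rule.nametype == "self":                  # key may only touch its own name
        name_ok = rr_name == signer
    elif rule.nametype == "name":
        name_ok = rr_name == canon(rule.name)
    elif rule.nametype == "subdomain":
        parent = canon(rule.name)
        name_ok = rr_name == parent or rr_name.endswith("." + parent)
    else:
        raise ValueError(f"nametype {rule.nametype!r} not modelled here")
    if not name_ok:
        return False
    if rule.types:
        return rr_type in rule.types or "ANY" in rule.types
    return rr_type not in PROTECTED_TYPES


def update_policy(policy, signer, rr_name, rr_type):
    """update-policy { ... }: first matching rule decides; no match is a deny."""
    for rule in policy:
        if rule_matches(rule, signer, rr_name, rr_type):
            return rule.action == "grant"
    return False


def allow_update(allowed_keys, signer, rr_name, rr_type):
    """allow-update { key ...; }: a listed key may change any record in the zone."""
    return canon(signer) in {canon(k) for k in allowed_keys}


ALLOWED = ["user1." + ZONE, "user2." + ZONE]        # the slides' allow-update list
POLICY = [                                           # assumed update-policy for contrast
    # grant user1.dynamic.myzone.example. self user1.dynamic.myzone.example. A;
    Rule("grant", "user1." + ZONE, "self", "user1." + ZONE, frozenset({"A"})),
    # grant user2.dynamic.myzone.example. subdomain hosts.dynamic.myzone.example.;
    Rule("grant", "user2." + ZONE, "subdomain", "hosts." + ZONE),
]


def demo():
    """(allow-update verdict, update-policy verdict) for a set of signed requests."""
    cases = {
        "user1 own A":       ("user1." + ZONE, "user1." + ZONE, "A"),
        "user1 own MX":      ("user1." + ZONE, "user1." + ZONE, "MX"),
        "user1 other host":  ("user1." + ZONE, "puri." + ZONE, "A"),
        "user1 apex NS":     ("user1." + ZONE, ZONE, "NS"),
        "user2 under hosts": ("user2." + ZONE, "lab1.hosts." + ZONE, "A"),
        "user2 hosts NS":    ("user2." + ZONE, "hosts." + ZONE, "NS"),
        "unknown key":       ("user3." + ZONE, "user3." + ZONE, "A"),
    }
    return {label: (allow_update(ALLOWED, *args), update_policy(POLICY, *args))
            for label, args in cases.items()}


if __name__ == "__main__":
    for label, (au, up) in demo().items():
        print(f"{label:18} allow-update={au!s:5} update-policy={up}")
```

Naming the key after the host it belongs to (the advantage mentioned under "TSIG keys") is what makes the self nametype work: a laptop's key can then change its own A record and nothing else, which is the shape the DHCP interaction at the end of the slides relies on.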
"Keying" nsupdate
• The next three slides show different ways to add key information to nsupdate
– first hides key from "ps -aux" by entering it interactively
– second hides it by referencing the file it is in
– last puts the secret on the command line
Keyed nsupdate #1
% nsupdate
> zone dynamic.myzone.example.
> server 127.0.0.1
> key user1.dynamic.myzone.example. sd7qi6tiw+N5fK3mGNDNJU9TwIju+1ye7r2shgfkxIg=
> update add puri.dynamic.myzone.example. 600 A 192.168.50.1
> send
% dig @127.0.0.1 puri.dynamic.myzone.example A
Keyed nsupdate #2
% nsupdate -k Kuser1.dynamic.myzone.example.+157+57806.private
> zone dynamic.myzone.example.
> server 127.0.0.1
> update add alu.dynamic.myzone.example. 900 A 192.168.50.2
> send
% dig @127.0.0.1 alu.dynamic.myzone.example A
(-k takes the .private file written by dnssec-keygen; the key name is taken from the file name, so the file must be readable only by the user running nsupdate.)
Keyed nsupdate #3
% nsupdate -y user1.dynamic.myzone.example.:sd7qi6tiw+N5fK3mGNDNJU9TwIju+1ye7r2shgfkxIg=
> zone dynamic.myzone.example.
> server 127.0.0.1
> update add palak.dynamic.myzone.example. 90 A 192.168.50.2
> send
% dig @127.0.0.1 palak.dynamic.myzone.example. A
(-y takes keyname:secret, the key name rather than the K... file name; in an update the TTL comes before the type.)
Interaction with DHCP
• See the following URL for in-depth information
– http://ops.ietf.org/dns/dynupd/secure-ddns-howto.html
How DHCP and DynUp Look
[Diagram: the laptop chawla.mirchi.net at two sites, each with its own DNS and DHCP servers. At Home, DHCP hands out leases for 275.7.32.0-127 and the site's DNS serves mirchi.net and the reverse zone 32.7.275.in-addr.arpa. At APNIC 16, the DHCP server at apnic16.apnic.net hands out leases for 320.43.32.0-127 and its DNS serves the reverse zone 32.43.320.in-addr.arpa. The addresses are the slide's made-up examples.]
How This Happens, part 1
• Host has a TSIG/SIG(0) key to update the entry
chawla.mirchi.net. A 275.7.32.17
• Home DHCP can change 32.7.275.in-addr.arpa. (via TSIG/SIG(0))
17.32.7.275.in-addr.arpa. PTR chawla.mirchi.net.
• APNIC16 DHCP can change 32.43.320.in-addr.arpa.
17.32.43.320.in-addr.arpa. PTR chawla.mirchi.net.
At Lease Change Time
• When releasing home address
– Home DHCP removes the PTR record
– Host alters/removes its A RR
– Done via scripts (depends on DHCP software)
• When gaining APNIC 16 lease
– APNIC 16 DHCP adds a PTR record
– Host registers an A RR with the home server
Questions?